Hillary Clinton’s use of a private email server was arrogant and either stupid or devious, but it’s only one piece of the government’s ineptitude in electronic communications. Think about it; during her entire tenure as Secretary of State, government employees were getting mail purporting to be from her, yet coming not from a state.gov address, but from hdr22@clintonemail.com, and nobody — not even the president — raised any questions! This is possible only in a culture that’s utterly oblivious to security.

The domain clintonemail.com is registered to a Florida company called Perfect Privacy, LLC. Anyone can examine the domain’s “whois” records over the Internet, and they have no indication that Hillary Clinton has any connection to them. There’s nothing wrong with anonymizing a domain registration; I do that myself because I don’t want my phone number published. The problem is that it gives no confidence that the address really belongs to Clinton. Clinton is a far more attractive target for impersonation attacks than I am, and even I’ve been hit by them.

Obama sent email to clintonemail.com on multiple occasions yet was allegedly unaware he wasn’t sending it to a State Department address. This is impossible. Obama may be an “idiot,” but he isn’t literally an idiot. He attributed Clinton’s setting up a private server to “carelessness,” as if she just woke up one morning and failed to notice the new computer in her home office that was now handling all her email. It took massive amounts of looking the other way for the server not to become an issue during her tenure.

Details on how she set up her email are scant. Perfect Privacy’s FAQ says that it filters all incoming email, so all mail sent to her address first went through Perfect Privacy’s filters. It’s not an Internet service provider, though, so it didn’t provide her with a mail server and wouldn’t have seen her outgoing mail. The SMTP server — the thing that sends mail to the Internet — ran on her own computer. Running your own SMTP server can be very secure, if you know what you’re doing and have full-time staff to configure it against unauthorized use, watch out for breaches, and apply all patches, but it appears that Clinton didn’t do that. Gmail and other mail hosts provide server-to-server encryption, which is much better than none at all. I’ve seen no indication that Clinton’s server did.

But the bigger problem goes beyond Clinton. Email is inherently insecure unless it’s encrypted end-to-end, which it rarely is. It’s not clear that the State Department’s security was much better than hers. AP reports that “The State Department’s compliance with federal cybersecurity standards was below average when Clinton took over but grew worse in each year of her tenure.” If it had improved while she was in office, she might have a case that she didn’t trust its security and pulled out while working to improve it, but it actually declined. If Clinton couldn’t get the State Department to get its security in order, how much hope is there that she managed a private server securely?

Really, you just shouldn’t use email to send highly sensitive information. There are lots of messaging applications that offer decent security. A Time article on email security says “there’s no way of knowing which governmental agency has good email security and which doesn’t, because, for security purposes, they don’t typically reveal their protocols.” Security through obscurity. The Internet’s email protocols were designed in a time when no one thought about security, and they haven’t changed much since then. A message usually hops through several servers on its way, so interception isn’t difficult. Email has no built-in authentication, so impersonation is even easier. And as Obama demonstrated, most people in government don’t even care when they get email from an unfamiliar address.
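The two checks nobody made can be automated. This Python sketch is an added example, not part of the original post: it flags a From domain outside the expected organization and lists the server hops that did not record TLS. The domain `agency.example`, the sample message, and the function names are all assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED_DOMAIN = "agency.example"  # assumption: domain official mail should use
# "with" values that record a TLS-protected hop (RFC 3848 registry)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

# Constructed sample message; every host and address is a placeholder.
SAMPLE = """\
Received: from mx.agency.example (mx.agency.example [192.0.2.10])
\tby inbox.agency.example with ESMTPS id c3; Mon, 01 Jan 2024 10:00:03 +0000
Received: from relay.transit.example (relay.transit.example [198.51.100.7])
\tby mx.agency.example with ESMTP id b2; Mon, 01 Jan 2024 10:00:02 +0000
Received: from home.private.example (home.private.example [203.0.113.5])
\tby relay.transit.example with SMTP id a1; Mon, 01 Jan 2024 10:00:01 +0000
From: "Agency Head" <head@private.example>
To: staff@agency.example
Subject: Schedule

See attached.
"""

def sender_domain(msg):
    """Domain of the From: address; the display name is free text and proves nothing."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def hops(msg):
    """(from_host, by_host, protocol, tls) per Received header, oldest hop first."""
    out = []
    for raw in reversed(msg.get_all("Received", [])):  # newest header is on top
        m = re.search(r"from (\S+).*?\bby (\S+).*?\bwith (\S+)", " ".join(raw.split()))
        if m:
            proto = m.group(3).upper()
            out.append((m.group(1), m.group(2), proto, proto in TLS_PROTOCOLS))
    return out

def review(raw_message, expected_domain=EXPECTED_DOMAIN):
    """Findings a recipient or mail gateway could raise for one message."""
    msg = message_from_string(raw_message)
    findings = []
    domain = sender_domain(msg)
    if domain != expected_domain and not domain.endswith("." + expected_domain):
        findings.append(f"From domain {domain!r} is not under {expected_domain!r}")
    for src, dst, proto, tls in hops(msg):
        # Headers added upstream of your own servers can be forged; treat as hints.
        if not tls:
            findings.append(f"hop {src} -> {dst} used {proto} (no TLS recorded)")
    return findings
```

A clean result only means the headers look consistent; it does not prove who wrote the message, since both the From line and upstream Received lines are supplied by the sending side.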

Clinton’s handling of her email was egregious, but it was merely the worst of a large body of ineptitude and negligence.